Session border control: The good, the bad, the ugly

Session border controllers do well in securing VoIP connections, but enterprises should carefully analyze whether they should manage those borders.

Prior to enterprise adoption of VoIP, session border control was considered arcane at best. In fact, short of actually engineering interfaces between carrier networks, border control was simply assumed to happen somewhere; after all, who cares how telephone carriers actually route traffic or manage network handoffs? Now, border control is becoming a critical aspect of securing enterprise networks and enabling traffic conditioning so that traffic flows smoothly between enterprise networks, carrier networks and the PSTN. Still, many IT professionals actively avoid session border control, and with good reason. While session management is an important arrow in the IT professional's quiver, it has several issues that may argue against enterprise self-provision in some situations.

The good: Why session border control matters

So why is session border control (SBC) important? Without dwelling terribly long on the subject, SBC is an important way for IT to secure its enterprise network. Services such as VoIP have generally had problems transiting enterprise network border security. On the one hand, as an IP-based data service, securing access through firewalls is desirable; yet firewalls can prevent such activities as call setup and completion or can make such new capabilities as unified communication problematic. Although tunneling through a firewall is certainly possible, doing so can compromise data security. SBC can not only enable VoIP to bypass data firewalls in a way that does not compromise security, it can actually provide more control over voice services generally by aggregating voice traffic. This is all to the good.

The bad: Obstacles of session border control

However, SBC also comes with its problems. For one thing, SBC can be a complex piece of technology: one that demands a certain amount of expertise to set up and maintain. Also, SBC is not a set-and-forget technology; as additions, moves and changes of voice service occur, the SBC must be configured to recognize them. IT must actively manage SBC devices, and this adds to IT overhead.

SBC also comes with some implications for quality of service (QoS). In complex call setup scenarios, traffic packets can be routed to an SBC device and then back again several times for each transmission. Depending on network architecture, this may mean a transit across a rather long call path -- and this introduces latency into the connection. These problems are certainly solvable, but once again, SBC requires yet another layer of design and oversight when developing network architectures.

The ugly: Who controls the session border?

Yet, the 600-pound gorilla in the room when considering SBC is who controls the session border controller. For the enterprise, it is obviously desirable to be able to secure network connections, yet the carrier -- whose network is being connected to -- is also concerned about such things as QoS, lawful intercept of voice traffic and management of the voice connection.

For these reasons, carriers who offer VoIP connectivity often want to manage the session border controller or specify the controller that the enterprise will use. This is clearly at odds with an enterprise that wants to mask its internal networks from external intrusion. SBC, from the standpoint of the carrier, breaks the end-to-end management of call completion and complicates regulatory obligations such as access to 911 services and call intercept.

Although the battle over control has generally been won in favor of enterprises, many carriers who offer SIP-based connections often make enterprise adoption of SBC technology more of an ordeal than it needs to be. Almost every SBC vendor has developed a rather complete repertoire of support solutions to ensure that carrier concerns are addressed; however, it is still possible to find carriers whose SIP trunking services come with recommended or required SBC vendor solutions.

Complicating this situation is the introduction of cloud-based session control. In this scenario, the SBC functionality is provided through a cloud service. The advantage is that the enterprise can offload a great deal of the management overhead associated with SBC maintenance. The drawback is that VoIP traffic latency can increase dramatically as it transits a much larger network.

Where to go for session border control

Nevertheless, SBC is an important solution for the IT professional. Although there are situations where it is simpler to depend on the carrier to provide session control, there are many where the virtues of enterprise SBC trump local control:

  • SBCs provide better security control.
  • SBCs allow for call aggregation.
  • SBCs give you the ability to use lower-cost SIP trunking.

IT professionals who have found that their responsibilities increase with the adoption of IP-based telephony will want to take a hard look at SBC technology as well as vendors for such technology. Top SBC vendors include (but are not limited to) Acme Packet, Adtran, AudioCodes, Avaya, Cisco, Dialogic, Edgewater, Media and others. These solution providers all have excellent professional service organizations that will provide basic tutorials and/or design support. Interested readers are invited to contact this author for vendor contacts if they wish.
